rsyslog.conf配置文件

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#加载rsyslog-mysql,前提需要yum install rsyslog-mysql。可以向mysql中写入日志
$template insertpl,"insert into SystemEvents (Message, Facility, FromHost, FromIP, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag, processid, appname) values ('%msg%', %syslogfacility%, '%fromhost-ip%', '%fromhost-ip%', %syslogseverity%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%', '%procid%', '%app-name%')",SQL
$Modload ommysql
$WorkDirectory /var/lib/rsyslog

#自定义日志内容模版
$template myFormat,"%timestamp% %fromhost-ip% %syslogtag%======%msg%\n"
$template shou,"%timestamp% %hostname% %app-name% %fromhost-ip% %syslogtag% %msg%\n"
#rsyslogv7及以上才能使用的新版模版
template(name="zhangshou" type="list") {
        property(name="timestamp" dateFormat="rfc3339")
        constant(value=" host=")
        property(name="hostname")
        constant(value=" fromip=")
        property(name="fromhost-ip")
        constant(value=", relayHost=")
        property(name="fromhost")
        constant(value=", tag=")
        property(name="syslogtag")
        constant(value=", programName=")
        property(name="programname")
        constant(value=", procid=")
        property(name="procid")
        constant(value=", facility=")
        property(name="syslogfacility-text")
        constant(value=", sev=")
        property(name="syslogseverity-text")
        constant(value=", appName=")
        property(name="app-name")
        constant(value=", msg=")
        property(name="msg" )
        constant(value="\n")
        }
$ActionFileDefaultTemplate myFormat
# 根据客户端的IP单独存放主机日志在不同目录,zhangshou需要手动创建（日志服务器需要做的配置）
$template RemoteLogs,"/var/log/zhangshou/%fromhost-ip%/%programname%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# 排除本地主机IP日志记录，只记录远程主机日志
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
# 忽略之前所有的日志，远程主机日志记录完之后不再继续往下记录（匹配了此规则后停止后续匹配）
#& ~

$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
#启用UDP的514接收客户端日志
$ModLoad imudp
$UDPServerRun 514
#启用TCP的514接收客户端日志
$ModLoad imtcp
$InputTCPServerRun 514
#新版客户端需要配置，表示向服务端发送日志时不限制速度
$SystemLogRateLimitInterval 0
#所有日志设施的所有日志级别都记录到127.0.0.1的数据库syslog，账号是root密码是123456
*.*                                                     :ommysql:127.0.0.1,syslog,root,123456;insertpl
#以下是配置文件自带的，将信息记录到文件                                   使用shou模版记录日志内容，而不使用默认模版
*.info;mail.none;authpriv.none;cron.none                /var/log/messages;shou
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local0.*                                                /var/log/sshd.log